Has Walmart opened itself up to “Denial of inventory” attacks?

Walmart's new web cash payment option could be turned against itself.

On April 26, Walmart's e-commerce site launched a pay-with-cash feature, allowing shoppers to reserve products for pickup for shipment and pay for them at a local Walmart store. While the feature opens up e-commerce to a larger number of potential transactions—including purchases by teenagers and others without credit cards—it also has opened up the company to potential attacks against its inventory system, using the e-commerce site against the company.

The cash-based payment program, which among other things required millions of dollars worth of changes to Walmart's in-store point of sale systems, gives customers 48 hours to come into a Walmart store with an order number to pay for it. When the customer pays a Walmart "associate," a button on the point-of-sale system connects to the Walmart.com e-commerce site and completes the online transaction.

But as Evan Schuman of retail technology trade site StorefrontBacktalk has reported, that system could be used to jam up Walmart's logistics system—allowing a competitor or other party to perform a "denial of inventory" attack on items that may be in high demand and short supply (such as hot holiday gift items around Black Friday).

Such an attack could be launched through a botnet using "webinject" malware to make scripted Web requests, or via other more manual means, spreading out transactions geographically. An e-commerce competitor seeking an advantage during peak shopping days, for example, could try to limit the number of customers who could purchase a limited-availability item—reducing Walmart's sales.

In an interview with Ars, Schuman said that Walmart had considered the risks posed by the program—during the three-and-a-half years the program was under development—but decided it was not a major issue, based on the belief that such an attack would be easily picked up by fraud detection systems. He said that contacts at Walmart had told him the company anticipates 20 percent of online cash purchases will be abandoned—the customers will never come in to pay for them.

Ravi Jariwala, a Walmart spokesperson, told Ars in an e-mail that Walmart has "systems in place that allow us to closely monitor 'Pay with Cash' transactions and flag suspected fraudulent orders immediately." He added that Walmart can disable cash purchases for "specific items and events, such as the day after Thanksgiving," and will continue to tweak the service to reduce the threat of fraud.

I worked for Walmart while this was being developed. Here's how it works:

1. Order posted
2. Store pickup and payment selected
3. Alert goes out to a WM associate with a handheld.
4. Associate has to process the order request fully in order to remove the item from inventory
5. Orders are stored where Lay-away used to be located, for ease of access.
6. If the expiration date of the item passes, it's taken back to the backroom and put back into inventory.

If someone decided to spam walmarts with orders, those orders will bog down the associates trying to work through them, and one of two things will happen. The associate will say "F this." and not do it, or alert their boss, and someone will either clear the orders or help fill them. The attack assumes that items are removed from inventory automatically upon online order, and that is false.

Finally, doing a denial of inventory attack on walmart to disrupt inventory across thousands of stores nationwide will raise a rather large flag, and be ridiculously hard to design.

This service is common in many shops in the UK. This is the first I've heard of it being able to be attacked like this - it seems very unlikely.

Also is WalMart really the first shop in the US to offer this? We've had it for at least 5 years if not more...

It is unusual in the US because it isn't needed. Almost everyone has credit cards. They can simply shop online and pay with the CC. Many people have multiple credit cards and thousands of dollars of debt on them on average.

With the amount of volume that Wal-Mart operates on, as well as the general availability of most of their products (they aren't exactly selling rare, high-end audio equipment or ultra-expensive jewelry), even if someone did put a reserve on every single $500 barbeque grill in the state for an entire summer, I suspect that it would barely register as a blip on the store's quarterly sales figures.

This service is common in many shops in the UK. This is the first I've heard of it being able to be attacked like this - it seems very unlikely.

Also is WalMart really the first shop in the US to offer this? We've had it for at least 5 years if not more...

It is unusual in the US because it isn't needed. Almost everyone has credit cards. They can simply shop online and pay with the CC. Many people have multiple credit cards and thousands of dollars of debt on them on average.

I don't think the popularity here in the UK stems from lack of payment methods, it's just more convenient to be able to pick something up rather than having to wait in for a delivery. They also don't charge for the service - making it cheaper.

Some of the retailers require you to pay in advance, perhaps highlighting the convenience element

There are plenty of retailers that let you pick stuff up at the store. What's different about Walmart's system, as far as I can tell, is the ability to have them put the item "on hold" pending cash payment at the time you pick it up. And that's where the risk is to Walmart -- having inventory "on hold", without being paid for.

This service is common in many shops in the UK. This is the first I've heard of it being able to be attacked like this - it seems very unlikely.

Also is WalMart really the first shop in the US to offer this? We've had it for at least 5 years if not more...

It is unusual in the US because it isn't needed. Almost everyone has credit cards. They can simply shop online and pay with the CC. Many people have multiple credit cards and thousands of dollars of debt on them on average.

I don't think the popularity here in the UK stems from lack of payment methods, it's just more convenient to be able to pick something up rather than having to wait in for a delivery. They also don't charge for the service - making it cheaper.

Some of the retailers require you to pay in advance, perhaps highlighting the convenience element

There may be a miscommunication, here.

Lots of stores have order online, pick up in store options. Including Wal-Mart well before now. This story is specifically that Wal-Mart will now allow you to order online and pay with cash in-store, whereas previously they required you to complete the purchase online, then come into the store to pick up the item.

So it's not that online ordering with in-store pickup is novel, it's the bit where you reserve the item online without any money changing hands, thereby (in theory) allowing nefarious inventory shenanigans to be perpetrated by /b/.

I'm working on the rewrite of the webshop of a few major electronics retailers here, and this functionality is currently offered and will continue to be offered. The risk of DoS is really almost non-existent, especially because a store employee has to move the product from a sellable location to a reserved location. Until that happens, the stock isn't really locked down. So you can send in 10000 store pick-up orders, but that amount will never be really reserved until a guy in the store mindlessly follows up those 10000 reservation commands.

However, for the rewrite it was requested by the client that if you put something in your shopping cart on the site, the available stock for the product has to be adjusted immediately as well to reflect the amount "reserved" by the shopping cart. I did talk them out of this as the risk of a DoS attack is quite high here and trivial to perform: just put all available iPads in your shopping cart and keep your session alive (and in our case, the shopping cart is permanent for a logged in user). No one would be able to order one any more.

Quote:

It is unusual in the US because it isn't needed. Almost everyone has credit cards. They can simply shop online and pay with the CC. Many people have multiple credit cards and thousands of dollars of debt on them on average.

Yeah, but this has the advantage of being able to go to the store and pick up the product at your leisure. You don't have to wait for the package to ship nor do you have to be at home to receive the package. I could see myself using this, especially as WalMarts are open after office hours so on the drive home you could just pick up your product, and you know it's still reserved to you and available, rather than the frustration that is waiting for a package that only ever gets delivered while you're not at home.
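An added sketch (not from the article, any commenter, or any retailer's code) of the design difference discussed in the comment above: sellable stock that drops the moment an unpaid cart claims it, versus unpaid holds that are capped per account and lapse after the article's 48-hour payment window. The class names, the per-account cap of 2 and the account ids are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

HOLD_TTL = 48 * 3600       # 48-hour payment window from the article, in seconds
MAX_HELD_PER_ACCOUNT = 2   # assumed cap on unpaid units per account


@dataclass
class Hold:
    account: str
    qty: int
    expires_at: float


@dataclass
class NaiveStock:
    """Unpaid cart adds reduce sellable stock at once and never lapse."""
    available: int

    def add_to_cart(self, account, qty):
        if qty > self.available:
            return False
        self.available -= qty
        return True


@dataclass
class GuardedStock:
    """Unpaid holds are capped and expire; stock leaves only on payment."""
    on_hand: int
    holds: list = field(default_factory=list)

    def _live(self, now):
        # Drop lapsed holds so abandoned orders return to sale by themselves.
        self.holds = [h for h in self.holds if h.expires_at > now]
        return self.holds

    def available(self, now):
        return self.on_hand - sum(h.qty for h in self._live(now))

    def reserve(self, account, qty, now):
        held = sum(h.qty for h in self._live(now) if h.account == account)
        if held + qty > MAX_HELD_PER_ACCOUNT or qty > self.available(now):
            return False
        self.holds.append(Hold(account, qty, now + HOLD_TTL))
        return True

    def pay(self, account, now):
        qty = sum(h.qty for h in self._live(now) if h.account == account)
        self.holds = [h for h in self.holds if h.account != account]
        self.on_hand -= qty
        return qty


def demo():
    # Constructed scenario: 10 units in stock, account ids are made up.
    naive = NaiveStock(available=10)
    naive.add_to_cart("acct-A", 10)
    naive_other = naive.add_to_cart("acct-B", 1)

    guarded = GuardedStock(on_hand=10)
    results = {
        "naive_other": naive_other,
        "bulk": guarded.reserve("acct-A", 10, 0.0),
        "small": guarded.reserve("acct-A", 2, 0.0),
        "other": guarded.reserve("acct-B", 1, 0.0),
        "avail_held": guarded.available(3600.0),
        "paid": guarded.pay("acct-B", 3600.0),
        "avail_expired": guarded.available(HOLD_TTL + 1.0),
    }
    return results


if __name__ == "__main__":
    print(demo())
```

The cap bounds what one account can tie up and the expiry bounds how long; holds spread across many accounts are the case the article's fraud-monitoring and per-item disable controls are meant to cover.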

This sounds like Microcenter's system. I'd never been to one of their stores and on a whim decided to have them pick my goods from the shelves ahead of time. Glad I did it, because the normal checkout line was at least 50 people deep, and the pick-up window was 0 people deep.

I paid with a debit card, but could have chosen cash as well (payment was not made online, but in-store).

I was able to order for in-store pickup without paying at one of the office warehouse stores a few years ago, although the employee at the store was kind of weirded out by it when I got there. I don't think this is actually novel, other than Walmart is bigger than most other stores, and has a reputation for attracting clients lower on the income scale, who are much more likely to be 'unbanked'. I don't think it's true that everyone in the US has credit cards, there is a large minority that don't have credit cards or a bank account.

Stores have been doing order online pickup in store for ages. This really isn't any different.

There was a store back in the 80's around here called BEST that even did it. Hell JCPenney does it too, it's called catalog pickup, just because you don't use a phone, and you instead use a PC, the concept doesn't change. It saves you the hassle of going and finding it, they do it, and you walk up and grab it.

I have yet to see how this is revolutionary. Just because it's cash onsite? Guess what, so is going to the store and buying it right there.

I'm wondering why this is news as the automotive parts world has worked like this for decades - way before web sites. You'd only pre-pay for something massively expensive, build-to-order, or truly special order and even then, it was usually just a nominal deposit. One of the big parts chains (O'Reilly Auto, if memory serves) has even had the post-pay web-to-local option for a number of years now.

Guys - so far NOBODY posting seems to understand how Wal-mart's new system is different from others.

This is not just an order online and then pay in cash and pick up at the store system. This is three steps:

1) Order online
2) Pay cash at store
3) Receive item shipped to home or to store at later date

Steps 2 and 3 are distinct and that's what makes wal-mart's new system unique.

Personally I think it is fantastic. I stopped using credit cards 6 months ago because I am tired of Big Data stalking the crap out of me. But that choice has made it nearly impossible to buy stuff online. Wal-mart's new system lets me buy stuff online and use a pseudonym to evade Big Data.

Other stores like Sears and JCPenny are almost there - I can walk into a store and order something from their warehouse and pay with cash. But I still have to get a sales person to walk through their internal website first. Wal-mart has just simplified it.

Are we talking layaway paid in cash or site-to-store paid in cash? In the case of the latter I see how it could be abused to route an entire DC's worth of product to one store. Retail corporate freight systems tend to be very good at moving lots of boxes around, not so much about making sure the moves are correct, or sane.

Yeah, but this has the advantage of being able to go to the store and pick up the product at your leisure. You don't have to wait for the package to ship nor do you have to be at home to receive the package. I could see myself using this, especially as WalMarts are open after office hours so on the drive home you could just pick up your product, and you know it's still reserved to you and available, rather than the frustration that is waiting for a package that only ever gets delivered while you're not at home.

You might think so. But when I went to pick up the only item I've ever ordered from Wal-Mart's ship-to-store system...an item which I was assured had arrived a week previously...it wasn't there when I went to pick it up. Reading between the lines, I got the impression that it had been stolen from the storage area. Which meant that I next had to go to the long customer service line and wait in line for a refund. (While still in the store, I ordered a similar item from Amazon.)

Guys - so far NOBODY posting seems to understand how Wal-mart's new system is different from others.

This is not just an order online and then pay in cash and pick up at the store system. This is three steps:

1) Order online
2) Pay cash at store
3) Receive item shipped to home or to store at later date

Steps 2 and 3 are distinct and that's what makes wal-mart's new system unique.

Personally I think it is fantastic. I stopped using credit cards 6 months ago because I am tired of Big Data stalking the crap out of me. But that choice has made it nearly impossible to buy stuff online. Wal-mart's new system lets me buy stuff online and use a pseudonym to evade Big Data.

Other stores like Sears and JCPenny are almost there - I can walk into a store and order something from their warehouse and pay with cash. But I still have to get a sales person to walk through their internal website first. Wal-mart has just simplified it.

My comment about the automotive parts industry having worked this way for many, many years still applies.

This service is common in many shops in the UK. This is the first I've heard of it being able to be attacked like this - it seems very unlikely.

Also is WalMart really the first shop in the US to offer this? We've had it for at least 5 years if not more...

It is unusual in the US because it isn't needed. Almost everyone has credit cards. They can simply shop online and pay with the CC. Many people have multiple credit cards and thousands of dollars of debt on them on average.

This isn't for in-store pickup. The order is fulfilled by the ecommerce group and shipped.

This service is common in many shops in the UK. This is the first I've heard of it being able to be attacked like this - it seems very unlikely.

Also is WalMart really the first shop in the US to offer this? We've had it for at least 5 years if not more...

It is unusual in the US because it isn't needed. Almost everyone has credit cards. They can simply shop online and pay with the CC. Many people have multiple credit cards and thousands of dollars of debt on them on average.

This isn't for in-store pickup. The order is fulfilled by the ecommerce group and shipped.

the first line in your article seems to conflict with what you just said in comments: "On April 26, Walmart's e-commerce site launched a pay-with-cash feature, allowing shoppers to reserve products for pickup at a local Walmart store."

I don't think Walmart needs any help creating a Denial of Inventory. They are pretty good at doing that themselves. I think much of their business model is based on selling you things you were not intending to buy before coming into the store, because they keep their inventory levels so tight, there is a good chance you won't find what you are looking for.

If this becomes a problem, they'll probably just move all sorts of crap they want you to buy to the aisles near the things they run out of.

This service is common in many shops in the UK. This is the first I've heard of it being able to be attacked like this - it seems very unlikely.

Also is WalMart really the first shop in the US to offer this? We've had it for at least 5 years if not more...

It is unusual in the US because it isn't needed. Almost everyone has credit cards. They can simply shop online and pay with the CC. Many people have multiple credit cards and thousands of dollars of debt on them on average.

This isn't for in-store pickup. The order is fulfilled by the ecommerce group and shipped.

So does the system work this way:

1. Shopper 'purchases' item online
2. Shopper goes to store to pay
3. Item is then shipped from warehouse to the store (or possibly the customer?)
4. If not shipped directly to the customer, the customer then goes to the store to pick up the item?

If it works this way there doesn't seem to be much of a chance of DoS attack - the order isn't actually filled until paid in full.

If, on the other hand, as soon as someone clicks the 'I'll pay for it at the store' button the item is shipped to the store to await pickup, the system could be gamed by competing businesses, or more likely, griefers.

What happens if the item is in stock at the store and doesn't need to be shipped from the warehouse, is it just pulled aside, or does that not happen until it's paid for?

I don't think Walmart needs any help creating a Denial of Inventory. They are pretty good at doing that themselves. I think much of their business model is based on selling you things you were not intending to buy before coming into the store, because they keep their inventory levels so tight, there is a good chance you won't find what you are looking for.

If this becomes a problem, they'll probably just move all sorts of crap they want you to buy to the aisles near the things they run out of.

I've never experienced inventory shortages at Wal-Mart, but I do often end up buying other things than what I planned just because they seem to lay out the stores in the most inconvenient way possible so that I have to walk a circuit around the entire place just to pick up what I need.

I try to avoid Wal-Mart as much as I can because the carts always seem to have a broken wheel, they never have baskets for when I just need to grab a couple items, and it takes me half an hour just to trudge through the store to find what I wanted. On the other hand, if I need to pick up allergy medicine, a pair of pants, diet coke, and bug spray at 10:30pm, I don't have any other options. If this service would let me shop online and just fill a basket with what I want, and have one of the Wal-Mart employees run around the store to gather it all up so I can just run in, pay for it at customer service and pick it up right there, I could see myself using it.

Maybe Wal-Mart feels the need to gain a competitive edge on the Amazons of the world but I don't know how much this will get used. Sounds like a huge pain in the ass for marginal gains in sales. If it does work out it suggests to me there is a market for cash funded online credits. Maybe add money to a pay pal type account at a bank, a check cashing place or convenience store or something. For the prepaid phone crowd.

On a side note I blame Wal-Mart for exporting much American productivity to China while running the Mom and Pops out of business and sucking people in with inferior quality goods while paying sub-living wages. I delight to shop there as little as humanly possible. If this blows up on them I can't say I will feel sorry because I don't think they have been a net positive for our society. And now they are probably just too big to fail (at least in some communities) which is really an untenable situation.

Sounds good to me. It's like a personal shopper. I go to pick it up, check over each item before I pay for it, and only leave with what I want. It's perfect and no hassle if I want to reject or return something.

Edit: Now for other stores here in NA to do this, because I don't go to Wal-Mart.

However to clarify, most (all?) shops in the UK that run this system are both collect in store and pay in store (however you want cash, card, etc.) and I've never heard of any DOS issues arising from it...

This has been in many major UK stores for years (Argos, Tesco and B&Q to name three large companies - Tesco being bigger than Walmart-Asda here). And yes, I mean, "no payment until you get to the store". The stores do this because it's easier to handle the payment on collection than it is to have to worry about people forgetting to pick-up and then having to refund them (the store would pay credit card handling fees for the refunds). So far it hasn't caused chaos in our retail economy. Still, Walmart are a big company so they might attract a trolling attack from disgruntled ex-minimum wage 'associates' who worked there to pay tuition on their comp-sci courses (i.e. anonymous). Op-Drain-Walmart-Dry-Of Justin-Bieber-CDs would be about as malicious as it gets!

The article is very ambiguous on how this works. Is the item reserved at a store (from in-store stock)? Is it issued from main warehouse stock? If so is it sent to store for pickup or sent direct to the customer? If it's the latter option, then it's new - but it seems a bit silly. I suppose it would be less vulnerable to attack than a system where the warehouse ships to store (incurring costs) before payment takes place (this is what Tesco do in the UK).

Order online > pay and pickup at the store - this is new and it's ripe for LULZ-type abuse

Maybe new in the USA, in Denmark it is common.

Stores use it for products that don't sell at a huge volume and take up a lot of space.

Take for example a small stove, example used because I am contemplating getting one, not a lot of people purchase these. So it would suck for each store of the chain in my town to have to stock these stoves. Instead you order the stove online and specify which store you'll pick it up at, and the central warehouse then delivers the stove to the specified store.

Then you can come and pay and get your stove the next day.

---

Yeah, if you were an asshole you could order tons of stoves and crap to various stores for the lulz. Because you pay at the pickup.

So it's not that online ordering with in-store pickup is novel, it's the bit where you reserve the item online without any money changing hands, thereby (in theory) allowing nefarious inventory shenanigans to be perpetrated by /b/.

As mentioned earlier, there's quite a few companies doing that already in the UK and they've had no problems. Dixons store group (Currys Digital, PC World and a couple of others) all offer it, as I think does Tesco Direct and Maplin. Not sure who else since I don't really use it (prefer to just check stock then go in), but I'm sure there are others.

the first line in your article seems to conflict with what you just said in comments: "On April 26, Walmart's e-commerce site launched a pay-with-cash feature, allowing shoppers to reserve products for pickup at a local Walmart store."

The first sentence (quoted above) conflicts with the second paragraph in the article. No wonder everybody is confused.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.